KB-5901: Deny interactive shell but allow scripts

12 April 2016 at 11:46 AM

Applies to: All versions of Centrify DirectControl on all platforms.

Question:

How can I deny interactive shells while still allowing (secured) scripts or commands to be executed with "dzdo -i", so that they adopt the 'run as' user's environment?


Answer:

This is possible through command definition assignments that prevent users from spawning interactive shells via 'dzdo'. The example configuration below denies interactive shells yet still allows secured scripts or commands to run. The definitions are configured in Access Manager under <Zone>/Authorization/UNIX Right Definitions/Commands:


---- Allow direct execution of secured scripts/binaries at the designated path

Name: allow secure path
Command: /allowed/path/*
Form: Glob expressions
Run As: root

---- Allow execution of secured scripts/binaries with the designated shell at the designated path

Name: allow shell script - 1
Command: csh /allowed/path/*
Form: Glob expressions
Run As: root

---- Allow execution of secured scripts/binaries with the designated shell, at the designated path, via 'dzdo -i' ('dzdo -i <command>' is evaluated as '<shell> -c <command>')

Name: allow shell script - 2
Command: csh -c /allowed/path/*
Form: Glob expressions
Run As: root

---- Denial of explicit start of interactive shell

Name: deny interactive shell - 1
Command: !csh$
Form: Regular expressions
Run As: root

---- Denial of starting an interactive shell without arguments (e.g. this matches and blocks 'dzdo csh -i', but does not match 'dzdo csh -i /allowed/path/*', which is left to the allow definitions above)
Note: The space preceding the '$' (end-of-line) is required for this to function as expected.

Name: deny interactive shell - 2
Command: !csh -.+ $
Form: Regular expressions
Run As: root



Demonstration using the above command definitions (in this lab the designated path is /root/work rather than /allowed/path; note that the copy of the script in /tmp is owned by another user and is therefore outside the secured path):

[root@lab-rhes66-64 ~]# cat /tmp/scripttest.csh 
#!/bin/csh 
echo "Secure script test" $0 
[root@lab-rhes66-64 ~]# diff /root/work/scripttest.csh /tmp/scripttest.csh 
[root@lab-rhes66-64 ~]# ls -l /tmp/scripttest.csh 
-rwxr-xr-x. 1 cook unixuser 35 Oct 28 09:33 /tmp/scripttest.csh 
[root@lab-rhes66-64 ~]# ls -l /root/work/scripttest.csh 
-rwxr-xr-x. 1 root root 35 Oct 28 09:34 /root/work/scripttest.csh 

[user1@lab-rhes66-64 ~]$ /tmp/scripttest.csh 
Secure script test /tmp/scripttest.csh 
[user1@lab-rhes66-64 ~]$ dzdo csh 
Sorry, user user1 is not allowed to execute '/bin/csh' as root on lab-rhes66-64. 
[user1@lab-rhes66-64 ~]$ dzdo csh ls 
Sorry, user user1 is not allowed to execute '/bin/csh ls' as root on lab-rhes66-64. 
[user1@lab-rhes66-64 ~]$ dzdo csh /tmp/scripttest.csh 
Sorry, user user1 is not allowed to execute '/bin/csh /tmp/scripttest.csh' as root on lab-rhes66-64. 
[user1@lab-rhes66-64 ~]$ 
[user1@lab-rhes66-64 ~]$ dzdo csh /root/work/scripttest.csh 
Secure script test /root/work/scripttest.csh 
[user1@lab-rhes66-64 ~]$ dzdo /root/work/scripttest.csh 
Secure script test /root/work/scripttest.csh 
[user1@lab-rhes66-64 ~]$ dzdo -i /root/work/scripttest.csh 
Secure script test /root/work/scripttest.csh 
[user1@lab-rhes66-64 ~]$ 
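Every allow definition above runs whatever sits under the designated path as root, so the path has to be controlled as tightly as the definitions themselves: in the demonstration the copy in /tmp owned by 'cook' is denied, while the root-owned copy under /root/work is allowed. The following Python script is an added example, not part of the article or of Centrify's tooling, that audits a designated path for the properties a practitioner would want before assigning such a right: the directory and every file in it owned by the 'Run As' user (uid 0 by default), nothing group- or world-writable, no symbolic links and no subdirectories. Those properties are this example's assumptions about what "secured" should mean, not requirements stated by the article. With no argument it builds a throwaway sample directory (constructed input) and audits that.

```python
#!/usr/bin/env python3
"""Audit a directory exposed to dzdo users as '/allowed/path/*' (Run As: root).

Added example: the checks are this script's assumptions about a secured script
path, not requirements stated by Centrify.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path


def audit_allowed_path(directory: str, trusted_uid: int = 0) -> list:
    """Return a list of (path, reason) findings; an empty list means no issues.

    trusted_uid defaults to 0 because the rights in the article run as root.
    """
    root = Path(directory)
    findings = []
    for entry in [root] + sorted(root.iterdir()):
        st = entry.lstat()  # do not follow links: a link is itself a finding
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(entry), "symbolic link; its target can be repointed"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((str(entry), f"owned by uid {st.st_uid}, expected uid {trusted_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((str(entry), f"group/world writable (mode {mode:04o})"))
        if entry != root and stat.S_ISDIR(st.st_mode):
            findings.append((str(entry), "subdirectory; its contents are not covered by this audit"))
    return findings


def build_demo_layout() -> str:
    """Constructed sample input: one clean script, one group/world-writable
    script and one symlink, all owned by the current user."""
    d = tempfile.mkdtemp(prefix="allowed-path-")
    os.chmod(d, 0o755)
    good = Path(d, "good.csh")
    good.write_text("#!/bin/csh\necho ok\n")
    good.chmod(0o755)
    bad = Path(d, "bad.csh")
    bad.write_text("#!/bin/csh\necho anyone can edit me\n")
    bad.chmod(0o777)
    Path(d, "link.csh").symlink_to("/bin/csh")
    return d


def main(argv: list) -> int:
    if len(argv) == 2:
        directory, uid = argv[1], 0
    else:
        # No path given: audit the constructed sample, owned by the caller.
        directory, uid = build_demo_layout(), os.getuid()
    findings = audit_allowed_path(directory, trusted_uid=uid)
    for path, reason in findings:
        print(f"{path}: {reason}")
    print("OK" if not findings else f"{len(findings)} finding(s) in {directory}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_allowed_path.py /allowed/path` before assigning the right, and again whenever the directory's contents change; the exit status is non-zero on any finding so it can sit in a cron job or a configuration-management check.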






======= (Optional) Variation of the above definitions. This accomplishes the same results, but is more flexible in what it allows:

Note: This variation is not production-ready as written because of the 'Catch-all' definition: anything not explicitly denied runs as root. It must be tailored to your environment and requirements, and explicit denials must be configured for everything that should not be allowed. The base template below blocks interactive shells for anything not contained within '/allowed/path/' and blocks spawning an interactive shell without contextual arguments (i.e. '<shell> -i').



---- Allow anything not explicitly denied via '!<command>$' definitions

Name: Catch-all
Command: *
Form: Glob expressions
Run As: root
Path: Specific path: *

---- Denial of explicit start of interactive shell

Name: deny interactive shell - 1
Command: !csh$
Form: Regular expressions
Run As: root

---- Deny interactive shell with any option other than '-c', which is reserved for the 'dzdo -i' allowance (because of the trailing '$', this pattern only matches when the option cluster ends the command line)

Name: deny interactive shell - 2
Command: !csh -[A-Zabd-z0-9]+$
Form: Regular expressions
Run As: root

---- Allow execution of secured scripts/binaries with the designated shell at the designated path

Name: allow shell script - 1
Command: csh /allowed/path/*
Form: Glob expressions
Run As: root

---- Allow execution of secured scripts/binaries with the designated shell, at the designated path, via 'dzdo -i' ('dzdo -i <command>' is evaluated as '<shell> -c <command>')

Name: allow shell script - 2
Command: csh -c /allowed/path/*
Form: Glob expressions
Run As: root



Demonstration (the output below was produced without the 'Catch-all' definition assigned; commands marked with '<=====' are the ones it would allow):

[user1@lab-cent66-64b ~]$ dzdo csh 
Sorry, user user1 is not allowed to execute '/bin/csh' as root on lab-cent66-64b. 
[user1@lab-cent66-64b ~]$ dzdo csh -i 
Sorry, user user1 is not allowed to execute '/bin/csh -i' as root on lab-cent66-64b. 

[user1@lab-cent66-64b ~]$ dzdo /tmp/graytest.sh <====== the 'Catch-all' definition would allow this
Sorry, user user1 is not allowed to execute '/tmp/graytest.sh' as root on lab-cent66-64b. 
[user1@lab-cent66-64b ~]$ dzdo /allowed/path/graytest.sh 
Secured script test /allowed/path/graytest.sh 

[user1@lab-cent66-64b ~]$ dzdo csh /tmp/graytest.sh <===== the 'Catch-all' definition would allow this
Sorry, user user1 is not allowed to execute '/bin/csh /tmp/graytest.sh' as root on lab-cent66-64b. 
[user1@lab-cent66-64b ~]$ dzdo csh /allowed/path/graytest.sh 
Secured script test /allowed/path/graytest.sh 
[user1@lab-cent66-64b ~]$ dzdo csh emacs <===== the 'Catch-all' definition would allow this
Sorry, user user1 is not allowed to execute '/bin/csh emacs' as root on lab-cent66-64b. 

[user1@lab-cent66-64b ~]$ dzdo -i /allowed/path/graytest.sh 
Secured script test /allowed/path/graytest.sh 
[user1@lab-cent66-64b ~]$ dzdo csh -c /allowed/path/scripttest.sh 
Secured script test /allowed/path/scripttest.sh 
[user1@lab-cent66-64b ~]$ dzdo csh -v /allowed/path/scripttest.sh 
Sorry, user user1 is not allowed to execute '/bin/csh -v /allowed/path/scripttest.sh' as root on lab-cent66-64b. 

[user1@lab-cent66-64b ~]$ dzdo -i /tmp/scripttest.sh <===== the 'Catch-all' definition would allow this
Sorry, user user1 is not allowed to execute '/bin/csh -c /tmp/scripttest.sh' as root on lab-cent66-64b. 
[user1@lab-cent66-64b ~]$ dzdo csh -c /tmp/scripttest.sh <===== the 'Catch-all' definition would allow this
Sorry, user user1 is not allowed to execute '/bin/csh -c /tmp/scripttest.sh' as root on lab-cent66-64b.
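To check either rule set against a list of commands before assigning it in Access Manager, the following Python script (an added example, not Centrify code) models the matching this article relies on: glob definitions are matched with fnmatch against the command as typed, regular-expression definitions must match the whole command string (the article's '$' makes the end anchor explicit), a definition beginning with '!' is a denial, a matching denial wins over any allowance, and a command matched by nothing is denied. Those semantics, and 'dzdo -i <command>' being evaluated as 'csh -c <command>' for a 'Run As' user whose shell is csh, are assumptions drawn from the article's explanation and demonstrations rather than from product documentation. The trailing-space behaviour the article notes for '!csh -.+ $' is not reproduced, so under the first rule set 'csh -i' is caught by the default denial instead. The sample commands are constructed; the names 'STRICT_RIGHTS', 'FLEXIBLE_RIGHTS' and 'CATCH_ALL' are this script's own.

```python
#!/usr/bin/env python3
"""Offline model of the dzdo command-right evaluation used in KB-5901.

Added example, not Centrify code. Assumed semantics: glob definitions match the
command as typed (fnmatch); regex definitions must match the whole command;
a leading '!' marks a denial; any matching denial beats any allowance; a
command matched by nothing is denied.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CommandRight:
    name: str
    command: str   # the 'Command' field as entered in Access Manager
    form: str      # the 'Form' field: "glob" or "regex"

    @property
    def deny(self) -> bool:
        return self.command.startswith("!")

    def matches(self, typed: str) -> bool:
        pattern = self.command[1:] if self.deny else self.command
        if self.form == "glob":
            return fnmatch.fnmatchcase(typed, pattern)
        return re.fullmatch(pattern, typed) is not None


def evaluate(rights: List[CommandRight], typed: str) -> Tuple[bool, str]:
    """Return (allowed, name of the deciding definition)."""
    for right in rights:
        if right.deny and right.matches(typed):
            return False, right.name
    for right in rights:
        if not right.deny and right.matches(typed):
            return True, right.name
    return False, "no matching definition (default deny)"


def dzdo_i(typed: str) -> str:
    """'dzdo -i <command>' is evaluated as '<shell> -c <command>' (article);
    the Run As user's shell is assumed to be csh, as in the demonstrations."""
    return f"csh -c {typed}"


# First rule set from the article, '/allowed/path/' kept as the placeholder.
STRICT_RIGHTS = [
    CommandRight("allow secure path", "/allowed/path/*", "glob"),
    CommandRight("allow shell script - 1", "csh /allowed/path/*", "glob"),
    CommandRight("allow shell script - 2", "csh -c /allowed/path/*", "glob"),
    CommandRight("deny interactive shell - 1", "!csh$", "regex"),
    CommandRight("deny interactive shell - 2", "!csh -.+ $", "regex"),
]

# Optional variation; the catch-all is kept separate so both results can be compared.
CATCH_ALL = CommandRight("Catch-all", "*", "glob")
FLEXIBLE_RIGHTS = [
    CommandRight("deny interactive shell - 1", "!csh$", "regex"),
    CommandRight("deny interactive shell - 2", "!csh -[A-Zabd-z0-9]+$", "regex"),
    CommandRight("allow shell script - 1", "csh /allowed/path/*", "glob"),
    CommandRight("allow shell script - 2", "csh -c /allowed/path/*", "glob"),
]

# Constructed sample of what a user might type after 'dzdo'.
SAMPLE_COMMANDS = [
    "csh", "csh -i", "csh ls",
    "csh /tmp/scripttest.csh", "csh /allowed/path/scripttest.csh",
    "/allowed/path/scripttest.csh", dzdo_i("/allowed/path/scripttest.csh"),
    dzdo_i("/tmp/scripttest.csh"), "csh -v /allowed/path/scripttest.csh",
]


def report(label: str, rights: List[CommandRight]) -> None:
    print(f"== {label}")
    for typed in SAMPLE_COMMANDS:
        allowed, why = evaluate(rights, typed)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"  {verdict:5} dzdo {typed:40} [{why}]")


if __name__ == "__main__":
    report("strict definitions", STRICT_RIGHTS)
    report("variation without Catch-all", FLEXIBLE_RIGHTS)
    report("variation with Catch-all", [CATCH_ALL] + FLEXIBLE_RIGHTS)
```

The third report is the one worth reading before deploying the variation: with the 'Catch-all' in place, 'csh -c /tmp/scripttest.csh' and 'csh -v /allowed/path/scripttest.csh' are allowed as root because no denial matches them, which is exactly why the article says explicit denials must be added for everything that should not run.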
